Decoding and Verifying Tokens with different libraries

I recently read a community post on Auth0 token verification here:

The question was asked from the Python perspective, and it might be referring to something like the jose jwt.decode() method, which the docs say does both decoding and verification:
https://python-jose.readthedocs.io/en/latest/jwt/api.html?highlight=decode#jose.jwt.decode

That has been my understanding of that particular method in that library, but it looks like it differs from other implementations, so I’d appreciate a confirmation that, at least in the two Python libraries I mention above, .decode() is equivalent to both decode and verify together in the Node example mentioned.

Thanks!

Hi @fernando1!

Looking at the jose library you linked, it does indeed look like the decode method also verifies the token signature.

Granted, I did not read through the source code, but it says "Verifies a JWT string’s signature and validates reserved claims" and has options for verifying all the claims of the token, and they default to true.

I don’t see another Python library you mentioned, as the user does not mention a library in particular, but I can confirm that the jose library you linked claims to decode and verify upon calling the decode method with default options.

For clarity, understanding the difference between the two may be helpful. Decoding a token would be like translating a driver's license from Spanish to English. It can help you understand the contents of the license, but does not prove whether or not it is fraudulent. Verifying a token would be like checking the watermarks, magnetic strip, etc. to verify it is a legitimately issued ID. The method you linked seems to do both.

Hope this helps!

Thanks,
Dan
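
The decode-versus-verify distinction from the reply above, as an added example that is not part of the original thread and is not python-jose's code. It is a standard-library HS256 sketch; `decode_only`, `decode_and_verify`, `tamper` and `KEY` are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed sample secret, not a real credential

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key):
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_only(token):
    """Read the payload. Proves nothing about who issued it."""
    return json.loads(b64url_decode(token.split(".")[1]))

def decode_and_verify(token, key, now=None):
    """Return claims only after the signature and expiry checks pass."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm instead of trusting whatever the header asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def tamper(token, **changes):
    """Constructed test input: edit payload claims but keep the old signature."""
    h, p, s = token.split(".")
    claims = {**json.loads(b64url_decode(p)), **changes}
    return ".".join((h, b64url_encode(json.dumps(claims).encode()), s))
```

A token whose payload was edited after signing still decodes cleanly with `decode_only`, while `decode_and_verify` rejects it.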
